
SU09: Device Certification and Enrollment

This service package illustrates the certification of devices, typically but not exclusively those intended for the connected vehicle environment. It assumes an independent certification body that can verify the performance and behavior of devices and applications and provide that information to credentials-granting entities.

Relevant Regions: Australia, Canada, European Union, and United States

Enterprise

Development Stage Roles and Relationships

Installation Stage Roles and Relationships

Operations Stage Roles and Relationships

Source | Destination | Role/Relationship
Certification System Manager | Certification System | Manages
Certification System Manager | Certification System Operator | System Usage Agreement
Certification System Operator | Certification System | Operates
Certification System Owner | Certification System | Owns
Certification System Owner | Certification System Manager | Operations Agreement
Certification System Owner | Cooperative ITS Credentials Management System Owner | Information Provision Agreement
Certification System Supplier | Certification System Owner | Warranty
Cooperative ITS Credentials Management System Manager | Cooperative ITS Credentials Management System | Manages
Cooperative ITS Credentials Management System Manager | Credentials Management System Operator | System Usage Agreement
Cooperative ITS Credentials Management System Owner | Cooperative ITS Credentials Management System | Owns
Cooperative ITS Credentials Management System Owner | Cooperative ITS Credentials Management System Manager | Operations Agreement
Cooperative ITS Credentials Management System Owner | ITS Object Owner | Security Credentials License and Usage Agreement
Cooperative ITS Credentials Management System Owner | Other Credentials Management Systems Owner | Information Exchange Agreement
Cooperative ITS Credentials Management System Supplier | Cooperative ITS Credentials Management System Owner | Warranty
Credentials Management System Operator | Cooperative ITS Credentials Management System | Operates
ITS Object Manager | ITS Object | Manages
ITS Object Owner | Certification System Owner | Expectation of Information Provision
ITS Object Owner | Cooperative ITS Credentials Management System Owner | Expectation of Information Provision
ITS Object Owner | ITS Object | Owns
ITS Object Owner | ITS Object Manager | Operations Agreement
ITS Object Supplier | ITS Object Owner | Warranty
Other Credentials Management Systems Manager | Other Credentials Management Systems | Manages
Other Credentials Management Systems Owner | Cooperative ITS Credentials Management System Owner | Information Exchange Agreement
Other Credentials Management Systems Owner | Other Credentials Management Systems | Owns
Other Credentials Management Systems Owner | Other Credentials Management Systems Manager | Operations Agreement
Other Credentials Management Systems Supplier | Other Credentials Management Systems Owner | Warranty

Maintenance Stage Roles and Relationships

Physical

Physical diagram: available in SVG and PNG formats, with a legend; not reproduced in this text.

Includes Physical Objects:

Physical Object | Class | Description
Certification System | Support | The 'Certification System' verifies that devices and applications meet standards for participation in the ITS environment. Particular requirements vary depending on the type of certification; applications may be certified for performance and adherence to standards or specifications; devices may be similarly certified, and will also typically be subject to security-related interrogation.
Certification System Operator | Support | The 'Certification System Operator' represents the human operator who monitors and manages ITS device and application certification.
Cooperative ITS Credentials Management System | Support | The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials.
Credentials Management System Operator | Support | The 'Credentials Management System Operator' represents the person or people that monitor and manage the Cooperative ITS Credentials Management System. These personnel monitor and manage the secure distribution, use, and revocation of trust credentials.
ITS Object | ITS | The general 'ITS Object' includes core capabilities common to any class of object.
Other Credentials Management Systems | Support | Representing another Cooperative ITS Credentials Management System (CCMS), 'Other Credentials Management Systems' is intended to provide a source and destination for information exchange between peer credentials management systems. It supports modeling of projects or regions that include multiple interconnected CCMS that manage credentials distribution and management in the connected vehicle environment.

Includes Functional Objects:

Functional Object | Description | Physical Object
CCMS Enrollment | 'CCMS Enrollment' components provide enrollment credentials to end entities. The end entity applies for and obtains enrollment credentials that can be used to communicate with other CCMS components, entering the "Unauthorized" state. CCMS Enrollment components also participate in de-registration processes through interaction with CCMS Revocation components. | Cooperative ITS Credentials Management System
CCMS Provisioning | 'CCMS Provisioning' components provide the end entity with material that allows it to enter the 'Unenrolled' state. This consists of root certificates and the crypto material that allows it to communicate securely with the Enrollment components. This function ensures the requesting entity meets requirements for provisioning and provides the certificates and relevant policy information to entities that meet the requirements. | Cooperative ITS Credentials Management System
Certification of Applications | 'Certification of Applications' verifies the performance and integrity of software for use in the ITS environment. It interacts with and monitors software in device configurations and verifies that the software is able to operate as specified; it may also certify that the software meets the requirements associated with particular services and should be entitled to application-specific credentials. | Certification System
Certification of Devices | 'Certification of Devices' verifies the performance, integrity and functionality of devices, including necessary firmware, for use in the ITS environment. It monitors software and hardware including radios, processors and tamper-related sensors to verify that the device and its operating software is able to operate as specified; it may also certify that the hardware and firmware meet the requirements associated with particular services and should be entitled to device-specific credentials. | Certification System
ITS Management Support | 'ITS Management Support' provides management of the ITS Object. This includes management of regulatory information and policies, management of application processes, management of communication system configuration and update management, communications interfaces, protocol-specific techniques to ensure interoperability such as service advertisements, communications congestion management and interference management, local device states and communications information, billing management, fault management, service level and performance monitoring. | ITS Object
ITS Security Support | 'ITS Security Support' provides communications and system security functions to the ITS Object, including privacy protection functions. It may include firewall, intrusion management, authentication, authorization, profile management, identity management, cryptographic key management. It may include a hardware security module and security management information base. | ITS Object

Includes Information Flows:

Information Flow | Description
application test response | Response to an application stimulus, typically used to verify the application's performance and behavior.
application test stimulus | Input provided to verify the performance of an application. Typically will prompt (stimulate) the target under examination in order to measure the response.
certification operator input | User input from certification personnel that support monitoring, management, and documentation of the certification process and results.
certification operator presentation | Presentation of certification information to personnel that supports monitoring, management, and documentation of the certification process and results.
certification results | Identification of device (type) and certification tests that it passed and failed.
credentials management operator input | User input from the credentials management system operator including requests to monitor current system operation and inputs to affect system operation.
credentials management operator presentation | Presentation of information to the credentials management system operator including current operational status of the credentials management system.
device enrollment information | Information provided by an end entity to support enrollment and authorization for the Connected Vehicle environment. This includes device identification, requested permissions and restrictions, and security credentials used to establish the current level of trust and eligibility for enrollment and authorization.
device test response | Response to a device stimulus, typically used to verify the device's performance and behavior.
device test stimulus | Input provided to verify the performance of a device. Typically will prompt (stimulate) the target under examination in order to measure the response.
enrollment coordination | Sharing of enrollment policies, certification mechanisms, registration and deregistration identifier types, registered and deregistered end entities, and other information that supports enrollment process coordination with another CCMS.
enrollment credentials | Long-term security credentials such as 'enrollment certificates' that demonstrate the trust-worthiness of the source device or application.
security policy and networking information | Security policy information describing the CCMS' enrollment, authorization, misbehavior and revocation policies, and communications information related to CCMS components; including contact information and public credentials of those components.

Goals and Objectives

Associated Planning Factors and Goals

Planning Factor | Goal
C. Increase the security of the transportation system for motorized and nonmotorized users | Improve the security of the transportation system

Associated Objective Categories

Objective Category
Security: Crime
Security: Terrorism, Natural Disasters, and Hazardous Material Incidents

Associated Objectives and Performance Measures

Objective | Performance Measure
Enhance tracking and monitoring of sensitive Hazmat shipments | Number of Hazmat shipments tracked in real-time
Reduce exposure due to Hazmat & homeland security incidents | Homeland security incident response time
Reduce exposure due to Hazmat & homeland security incidents | Number of Hazmat incidents
Reduce exposure due to Hazmat & homeland security incidents | Number of homeland security incidents
Reduce security risks to motorists and travelers | Number of critical sites with security surveillance
Reduce security risks to motorists and travelers | Number of security incidents on roadways
Reduce security risks to transit passengers and transit vehicle operators | Number of security incidents at transit facilities
Reduce security risks to transit passengers and transit vehicle operators | Number of security incidents on transit vehicles
Reduce security risks to transit passengers and transit vehicle operators | Number of transit facilities and vehicles under security surveillance
Reduce security risks to transportation infrastructure | Number of critical sites with hardened security enhancements
Reduce security risks to transportation infrastructure | Number of critical sites with security surveillance
Reduce security risks to transportation infrastructure | Number of security incidents on transportation infrastructure


 
Since the mapping between objectives and service packages is not always straight-forward and often situation-dependent, these mappings should only be used as a starting point. Users should do their own analysis to identify the best service packages for their region.

Needs and Requirements

Each need is listed with the functional objects and numbered requirements that satisfy it.

Need 01: The CCMS Operator needs to provide a mechanism for a user without credentials to request credentials, so that the user may participate in the CVE (here the connected vehicle environment, not a vulnerability identifier).
    CCMS Enrollment 01: The Center shall provide enrollment credentials in response to valid enrollment requests.
    CCMS Enrollment 02: The Center shall coordinate the distribution of enrollment credentials with other Centers.
    CCMS Enrollment 03: The Center shall verify information received in enrollment requests.
    CCMS Provisioning 01: The Center shall provide security and regulatory policy information to ITS Objects.
    Certification of Applications 02: The center shall provide ITS Object application certification results to the CCMS.
    Certification of Devices 02: The center shall provide ITS Object device certification results to the CCMS.
    ITS Management Support 06: The ITS Object shall acquire regulatory information relevant to the operation of the ITS Object from the CCMS.
    ITS Security Support 02: The ITS Object shall request enrollment credentials from the CCMS.
Need 02: Certification Operators need to be able to quantify the performance of ITS Objects so that an object's conformance to necessary performance requirements may be defined.
    Certification of Applications 01: The center shall exercise ITS Objects to determine their conformance to application specifications.
    Certification of Applications 02: The center shall provide ITS Object application certification results to the CCMS.
    Certification of Devices 01: The center shall exercise ITS Objects to determine their conformance to device specifications.
    Certification of Devices 02: The center shall provide ITS Object device certification results to the CCMS.

Related Sources

Document Name | Version | Publication Date
Harmonization Task Group #6, HTG6-4 Cooperative-ITS Credential Management System Functional Analysis and Recommendations for Harmonization | 2015-04-03 | 4/3/2015
ITS User Services Document | (none given) | 1/1/2005
Security Credential Management System Design | Draft | 4/13/2012


Security

In order to participate in this service package, each physical object should meet or exceed the following security levels.

Physical Object Security
Physical Object | Confidentiality | Integrity | Availability | Security Class
Certification System | High | High | High | Class 5
Cooperative ITS Credentials Management System | High | High | High | Class 5
ITS Object | High | High | High | Class 5
Other Credentials Management Systems | High | High | High | Class 5



In order to participate in this service package, each information flow triple should meet or exceed the following security levels.

Information Flow Security
Source -> Destination: Information Flow | Confidentiality | Integrity | Availability
Each triple is followed by the basis for its three ratings.

Certification System -> Certification System Operator: certification operator presentation | High | High | High
    Confidentiality basis: This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE or LOW confidentiality requirement, then this could be MODERATE or LOW, as appropriate.
    Integrity basis: This value is derived from the specific flows satisfied by this super-flow. HIGH is set because some flows may require it. If the implementation includes flows with only a MODERATE integrity requirement, then this could be MODERATE.
    Availability basis: Any application testing or certification will fail without the ability to stimulate and receive responses. Thus, unlike most super-flow characteristics, this is set HIGH, as without availability there is no chance of success.

Certification System -> Cooperative ITS Credentials Management System: certification results | High | High | Moderate
    Confidentiality basis: This flow contains information that identifies the device and a description of its performance related to a set of tests. This may also include what the device is allowed to do in an operational environment. If this information were compromised, an attacker may be able to leverage this information to compromise the device or its users.
    Integrity basis: Certification information needs to be correct so that enrollment processes can be properly managed, or unqualified devices may acquire credentials.
    Availability basis: If this flow is not available, the relevant device types will not be able to enroll in C-ITS. This would limit the growth of the overall system. There is no backup. However, the system in place would not fail, which is why this is limited to MODERATE.

Certification System -> ITS Object: application test stimulus | High | High | High
    Basis: the super-flow rationale given for certification operator presentation above.

Certification System -> ITS Object: device test stimulus | High | High | High
    Basis: the super-flow rationale given for certification operator presentation above.

Certification System Operator -> Certification System: certification operator input | High | High | High
    Basis: the super-flow rationale given for certification operator presentation above.

Cooperative ITS Credentials Management System -> Credentials Management System Operator: credentials management operator presentation | Not Applicable | High | High
    Confidentiality basis: System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment.
    Integrity basis: Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
    Availability basis: Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.

Cooperative ITS Credentials Management System -> ITS Object: enrollment credentials | High | High | Moderate
    Confidentiality basis: Credentials need to be delivered to their intended target only. Interception and potential use by a third party compromises the C-ITS trust model.
    Integrity basis: Credentials need to be correct and intact on delivery, or they will not be functional.
    Availability basis: Without functional credentials, the end entity cannot operate. Credentials will be granted as needed but generally not in real time with operations; that is, an end entity will request credentials a significant time in advance of actually needing them for providing user services.

Cooperative ITS Credentials Management System -> ITS Object: security policy and networking information | Low | High | High
    Confidentiality basis: Policy information is expected to be made generally available to all C-ITS devices. Likely no harm in observation by actors outside of ITS. Certificate policy, for example, is often openly published.
    Integrity basis: Policy information must be correct, or end entities may make decisions that lead to them becoming untrusted, which, if occurring over a wide scale, would cripple the C-ITS environment.
    Availability basis: Policy information distribution must occur prior to an end entity encountering a change in policy, for example at border crossings.

Cooperative ITS Credentials Management System -> Other Credentials Management Systems: enrollment coordination | High | High | High
    Confidentiality basis: Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propagation to another, which may enable attacks.
    Integrity basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.
    Availability basis: As for integrity: coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large amount of the C-ITS environment.

Credentials Management System Operator -> Cooperative ITS Credentials Management System: credentials management operator input | Not Applicable | High | High
    Confidentiality basis: System core flows should have some protection from casual viewing, as otherwise imposters could gain illicit control over core equipment.
    Integrity basis: Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.
    Availability basis: Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system.

ITS Object -> Certification System: application test response | High | High | High
    Basis: the super-flow rationale given for certification operator presentation above.

ITS Object -> Certification System: device test response | High | High | High
    Basis: the super-flow rationale given for certification operator presentation above.

ITS Object -> Cooperative ITS Credentials Management System: device enrollment information | High | High | Moderate
    Confidentiality basis: This flow contains information that identifies the device and what it is allowed to do. If this information were compromised, an attacker may be able to impersonate the legitimate device.
    Integrity basis: Enrollment information needs to be correct so that revocation processes can be properly managed, or it may be impossible to de-authorize a compromised or malfunctioning device.
    Availability basis: If this flow is not available, the source system cannot enroll in C-ITS. This would limit the growth of the overall system. There is no backup. However, the system in place would not fail, which is why this is limited to MODERATE.

Other Credentials Management Systems -> Cooperative ITS Credentials Management System: enrollment coordination | High | High | High
    Basis: as for the enrollment coordination flow in the other direction above.

Standards

The following table lists the standards associated with physical objects in this service package. For standards related to interfaces, see the specific information flow triple pages.

Name | Title | Physical Object
FIPS 140-2 | Security Requirements for Cryptographic Modules | ITS Object
ISO 21217 Architecture | Intelligent transport systems -- Communications access for land mobiles (CALM) -- Architecture | ITS Object

FIPS 140-2 has since been superseded by FIPS 140-3, and new cryptographic module validations are performed against FIPS 140-3; the hardware security module that 'ITS Security Support' may include should be validated against the current edition.